CVE-2024-56201

NameCVE-2024-56201
DescriptionJinja is an extensible templating engine. Prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. This vulnerability is fixed in 3.1.5.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1091329

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jinja2 (PTS)bullseye2.11.3-1vulnerable
bullseye (security)2.11.3-1+deb11u2vulnerable
bookworm3.1.2-1vulnerable
sid, trixie3.1.3-1.1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jinja2source(unstable)(unfixed)1091329

Notes

https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699
https://github.com/pallets/jinja/issues/1792
Fixed by: https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f (3.1.5)

Search for package or bug name: Reporting problems